Cisco ASA for Nexus 1000V Series Switch Troubleshooting Guide

• Android L2TP/IPSec requires Cisco ASA software version 8.2.5 or later, version 8.3.2.12 or later, or version 8.4.1 or later.
• ASA supports Secure Hash Algorithm 2 (SHA2) certificate signatures for Microsoft Windows 7 and Android-native VPN clients when the L2TP/IPSec protocol is used.
• See Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6: Configuring L2TP over IPSec: Licensing Requirements for L2TP over IPSec.
The information in this document was created from devices in a specific lab environment. All of the devices
used in this document started with a cleared (default) configuration. If your network is live, make sure that
you understand the potential impact of any command.
Configure
This section describes the information one would need in order to configure the features described in this
document.
Configure the L2TP/IPSec Connection on the Android
This procedure describes how to configure the L2TP/IPSec connection on the Android:
1. Open the menu, and choose Settings.
2. Choose Wireless and Network or Wireless Controls. The available option depends on your version of Android.
3. Choose VPN Settings.
4. Choose Add VPN.
5. Choose Add L2TP/IPsec PSK VPN.
6. Choose VPN Name, and enter a descriptive name.
7. Choose Set VPN Server, and enter a descriptive name.
8. Choose Set IPSec pre-shared key.
9. Uncheck Enable L2TP secret.
10. [Optional] Set the IPSec identifier as the ASA tunnel group name. No setting means it will fall into DefaultRAGroup on the ASA.
11. Open the menu, and choose Save.
Configure the L2TP/IPSec Connection on ASA
These are the required ASA Internet Key Exchange Version 1 (IKEv1) (Internet Security Association and Key
Management Protocol [ISAKMP]) policy settings that allow native VPN clients, integrated with the operating
system on an endpoint, to make a VPN connection to the ASA when L2TP over IPSec protocol is used:
• IKEv1 phase 1 - Triple Data Encryption Standard (3DES) encryption with SHA1 hash method
• IPSec phase 2 - 3DES or Advanced Encryption Standard (AES) encryption with Message Digest 5 (MD5) or SHA hash method
• PPP Authentication - Password Authentication Protocol (PAP), Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1), or MS-CHAPv2 (preferred)
• Pre-shared key
Note: The ASA supports only the PPP authentications PAP and MS-CHAP (versions 1 and 2) on the local
database. The Extensible Authentication Protocol (EAP) and CHAP are performed by proxy authentication
servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy
or authentication chap commands and if the ASA is configured to use the local database, that user will be
unable to connect.
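
The mismatch described in the Note can be checked for before users report failed connections. The following Python sketch is an added example, not part of the original Cisco document: it scans a saved ASA configuration for tunnel groups that explicitly enable `authentication chap` or `authentication eap-proxy` while authenticating against the local database. The sample configuration and the group names in it are constructed, and the script assumes that a tunnel group with no `authentication-server-group` line uses LOCAL.

```python
import re

# Constructed sample configuration fragment (not taken from the original page).
SAMPLE_CONFIG = """\
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group ANDROID ppp-attributes
 authentication eap-proxy
tunnel-group PARTNERS general-attributes
 authentication-server-group (outside) RADIUS1 LOCAL
tunnel-group PARTNERS ppp-attributes
 authentication chap
"""

PROXY_ONLY = {"chap", "eap-proxy"}  # per the Note: not handled by the local database
HEADER = re.compile(r"^tunnel-group (\S+) (general|ppp)-attributes$")

def parse_tunnel_groups(config):
    """Return {group: {"server_group": str, "ppp": set}} from explicit config lines."""
    groups, current, section = {}, None, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            current, section = m.group(1), m.group(2)
            # Assumption: LOCAL applies when no server group is configured.
            groups.setdefault(current, {"server_group": "LOCAL", "ppp": set()})
            continue
        words = line.split()
        if not line.startswith(" ") or not words:
            current = None  # any other top-level command ends the block
        elif current and section == "general" and words[0] == "authentication-server-group":
            # Skip an optional "(interface)" token; the next word is the primary group.
            groups[current]["server_group"] = [w for w in words[1:] if not w.startswith("(")][0]
        elif current and section == "ppp" and words[0] == "authentication":
            groups[current]["ppp"].add(words[1])
    return groups

def find_local_db_mismatches(config):
    """Groups that enable CHAP or EAP-proxy while authenticating against LOCAL."""
    return sorted(
        (name, sorted(g["ppp"] & PROXY_ONLY))
        for name, g in parse_tunnel_groups(config).items()
        if g["server_group"] == "LOCAL" and g["ppp"] & PROXY_ONLY
    )

if __name__ == "__main__":
    print(find_local_db_mismatches(SAMPLE_CONFIG))
```

Only explicitly configured lines are examined, so protocols that are enabled by default and therefore absent from the saved configuration are not reported.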